Information on the Nimda Worm
Summary:
A new worm, officially called W32/Nimda@MM, is circulating on the Internet
and affecting large numbers of customers using Windows operating systems.
Microsoft is working with the anti-virus community and other security
experts to thoroughly investigate the worm. If you haven't already
installed the appropriate updates and/or patches, your computer can become
infected.
***
Actions You Should Take
End Users
1. Prevent infection from email or infected Web sites by updating Internet
Explorer as detailed below in the section titled "Email".
2. Prevent infection via file shares by ensuring that you have no unprotected
file shares, as discussed below in the section titled "File Shares".
System Administrators
1. Ensure that all workstations on your network are protected against
infection from email or infected Web sites by installing any of the
updates listed in the section below titled "Email".
2. Protect Web servers by taking two steps:
* Protect against the Code Red II worm, which leaves a "back door" that
Nimda exploits, by installing any of the updates discussed below in the
section titled "Web Servers". Servers that already have been infected can
be cleaned using a tool Microsoft provides.
* Block the "Web Server Folder Traversal" vulnerability by taking any of
the steps listed below under "Web Servers".
3. Prevent spread through file shares by ensuring that your workstations and
servers have no unprotected file shares, as discussed below in the section
titled "File Shares".
Additional Information
The official name of the worm is W32/Nimda@MM, but it is generally
referred to as the "Nimda" worm. It attempts to spread via three different
means:
* Email: Infected machines attempt to spread the infection to other
users by sending copies of the worm via email.
* Web servers: Infected machines attempt to pass the infection to
web servers by either locating an already compromised server, or by
exploiting a known security vulnerability in Internet Information Server.
Once infected, a web server will attempt to infect the machines of any
users that visit it.
* File shares: Infected machines will search for systems that have
been configured to allow anyone to add files to them and, upon finding
such a machine, will insert infected files onto it.
Email
The worm spreads via email by sending a copy of itself within a mail that
exploits the security vulnerability discussed in Microsoft Security
Bulletin MS01-020. As the bulletin describes, the vulnerability lies in
Internet Explorer, but can be exploited via email. Simply opening the email
itself would be sufficient to infect the machine – it would not be
necessary to open an attachment.
Anti-virus vendors are currently developing updated scanning tools that
will detect and disarm mails sent by the virus. But even in the absence of
these tools, patches and updated versions of IE have been available for
some time to eliminate the vulnerability. Customers who have installed any
of the following updates would be at no risk of infection by email:
* The patch provided in Microsoft Security Bulletin MS01-020.
* The patch provided in Microsoft Security Bulletin MS01-027.
* Internet Explorer 5.01 Service Pack 2.
* Internet Explorer 5.5 Service Pack 2.
* Internet Explorer 6. (If you are installing IE 6 as an upgrade on a
Windows 95, 98, 98SE or ME system, be sure to select "Full Install" as the
installation type.)
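MS01-020 concerns mail parts whose declared MIME Content-Type misrepresents an executable attachment so that the mail client hands it to the wrong handler. A mail-gateway check for that mismatch, added here as an example (not code from Microsoft or from the bulletin), builds a constructed test message with an attachment declared as audio but named .exe and starting with a PE-style "MZ" header, then flags it; the executable extension list and the "MZ" test are assumptions chosen for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions a Windows client would execute rather than display.
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")


def build_sample_message():
    """Constructed sample: a harmless mail whose attachment is declared as
    audio but carries an .exe name and a PE-style 'MZ' header. The payload
    bytes are filler, not a real program."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("Plain-text body of the constructed sample.")
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="audio",
                       subtype="x-wav", filename="readme.exe")
    return msg.as_bytes()


def mime_mismatch_findings(raw_message):
    """Return one (filename, declared_type, reasons) tuple per part whose
    declared Content-Type disagrees with what the part actually contains."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        # An executable filename hidden under a non-application type.
        if name.lower().endswith(EXECUTABLE_EXT) and not ctype.startswith("application/"):
            reasons.append("executable filename declared as " + ctype)
        # Content that looks like a PE image but is not declared as one.
        if payload.startswith(b"MZ") and not ctype.startswith("application/"):
            reasons.append("PE 'MZ' header inside a " + ctype + " part")
        if reasons:
            findings.append((name, ctype, reasons))
    return findings


if __name__ == "__main__":
    for name, ctype, reasons in mime_mismatch_findings(build_sample_message()):
        print(f"{name or '(no name)'} [{ctype}]: " + "; ".join(reasons))
```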
Web Servers
When the worm attacks IIS 4.0 and 5.0 Web servers, it does so through
either of two means. First, it checks to see if the computer was
previously compromised by the Code Red II worm, which creates a "back
door" that any malicious user can use later to gain control of the system.
If the Nimda worm finds such a computer, it simply uses the back door
created by Code Red II to infect the system. Second, the worm attempts to
exploit the "Web Server Folder Traversal" vulnerability. If it succeeds in
exploiting this vulnerability, the worm uses it to infect the system.
A tool is available to remove the back door created by the Code Red II
worm. However, the best course of action is to prevent the Code Red II
worm altogether, by taking any of the following steps:
* Applying the patch provided in Microsoft Security Bulletin MS01-033
* Applying the patch provided in Microsoft Security Bulletin MS01-044
* Installing the Windows NT 4.0 Security Roll-up Package
* Running the IIS Lockdown Tool in its default mode
* Installing the URLScan tool with its default ruleset.
The "Web Server Folder Traversal" vulnerability can be blocked by taking
any of the following actions:
* Applying the patch provided in Microsoft Security Bulletin MS00-057
* Applying the patch provided in Microsoft Security Bulletin MS00-078
* Applying the patch provided in Microsoft Security Bulletin MS00-086
* Applying the patch provided in Microsoft Security Bulletin MS01-026
* Applying the patch provided in Microsoft Security Bulletin MS01-044
* Installing Windows 2000 Service Pack 2
* Installing the Windows NT 4.0 Security Roll-up Package
* Running the IIS Lockdown Tool in its default mode
* Installing the URLScan tool with its default ruleset.
Once a server is infected, it attempts to pass the infection to any
machines that visit the web sites it hosts. Like the email vector, it does
this using the vulnerability discussed in Microsoft Security Bulletin
MS01-020.
Customers who have taken any of the steps discussed in the section titled
"Email" are fully protected against the web-borne vector as well.
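Patching closes the "Web Server Folder Traversal" vulnerability, but an administrator also wants to know whether a server has been probed. The following log triage, added here as an example (not a Microsoft tool), percent-decodes each requested URI, including double-encoded forms, and flags requests containing a ".." path segment, rating those the server answered with 200 as higher severity. The log layout (date, time, client IP, method, URI stem, status) is a simplified assumption, and the sample lines are constructed, not captured worm traffic.

```python
from urllib.parse import unquote

# Constructed sample in a simplified IIS W3C-style layout
# (date time c-ip cs-method cs-uri-stem sc-status); made up for the example.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-18 10:01:02 192.0.2.10 GET /default.htm 200
2001-09-18 10:01:05 192.0.2.11 GET /scripts/../../private/data.txt 404
2001-09-18 10:01:07 192.0.2.12 GET /scripts/..%2f..%2fprivate/data.txt 200
2001-09-18 10:01:09 192.0.2.13 GET /images/logo.gif 200
2001-09-18 10:01:11 192.0.2.14 GET /scripts/%252e%252e/private/data.txt 500
"""


def decode_uri(uri, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are revealed."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def has_traversal(uri):
    """True if the decoded URI contains a '..' path segment, i.e. a request
    that tries to step out of the virtual directory it names."""
    path = decode_uri(uri).replace("\\", "/")
    return ".." in path.split("/")


def find_traversal_requests(log_text):
    """Return the records whose URI attempts folder traversal. A 200 status
    means the server answered the request and deserves a closer look."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, ip, method, uri, status = line.split()
        if has_traversal(uri):
            hits.append({"time": f"{date} {time}", "ip": ip, "method": method,
                         "uri": uri, "status": int(status),
                         "severity": "high" if status == "200" else "medium"})
    return hits


if __name__ == "__main__":
    for h in find_traversal_requests(SAMPLE_LOG):
        print(f"{h['severity']:6} {h['time']} {h['ip']} {h['uri']} -> {h['status']}")
```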
File shares
The final means by which the worm tries to spread is through file shares.
Windows systems can be configured to allow other users to read files from
them or write files to them. By default, Windows systems only allow the
authorized user of the system to access the files on it. However, if the
worm finds a system that has been configured to allow other users to
create files on it, it adds files that spread the infection.
To protect against infection via this vector,
minimize the number of users who can access your file system. If you have
file shares you do not need, remove them. For any remaining ones, ensure
that you've given other users as few privileges as possible. Finally, if
you're using Windows NT 4.0 or Windows 2000, make sure that you have a
strong password for the Administrator account – if you leave it blank,
you've essentially given the world the ability to add files to your
system. The Microsoft Baseline Security Analyzer (available for Windows NT
4.0 and Windows 2000) can help ensure that your system is securely
configured.
Get and Stay Secure: The Microsoft Strategic Technology Protection Program
Computer security over the Internet is a worldwide concern fundamental to
the way we live and do business. To help ensure this security, Microsoft is
mobilizing its people and resources in the Microsoft Strategic Technology
Protection Program (STPP), which integrates products, services, and
support. This program's first offering is the Microsoft Security Tool Kit
CD, which includes best practice guides, information on securing your
system, and service packs and patches that can help ensure your system is
protected against attacks.
More Resources
Microsoft is continuing to investigate this worm, and will provide updated
information as we learn it. In the meantime, additional information is
available from the following sources:
* How ISA Server Can Be Configured to Help Prevent the Nimda Worm
* CERT Coordination Center
* Aladdin
* Alwil
* BindView
* Computer Associates
* ESET
* Kaspersky Labs
* Panda Software
* McAfee
* Norman
* Sophos
* Symantec Security Response
* Trend Micro